Brute force attack & SPAM configuration

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
quanah
Zimbra Alumni
Posts: 1668
Joined: Fri Sep 12, 2014 10:33 pm

Re: Brute force attack

Post by quanah »

TitusI wrote:
quanah wrote:
TitusI wrote: I'm using fail2ban. I want to underline that the IP address of the client who made the login attempts is not correct (it's my server's public IP), and this is a problem.
Please explain what you mean when you write that it is an attack against Postfix; I see port 7071 in the log.

How can I understand whether my Zimbra is using DSPAM or SpamAssassin, or both together? :?
Port 7071 is the port used by AUTH requests via SOAP. So when user X connects to port 465/587 to send email via Postfix, and they AUTH to do so, that generates a SOAP request TO port 7071 on their behalf to auth them. Trying to block port 7071 will only make it so NO ONE can send email via 465/587. Since the SOAP request is generated on the MTA that is why you see your SERVER IP.

I hope this explanation helps.

Regards,
Quanah
Following your suggestion in the other thread and reading the suggested resource, I've mitigated the SPAM problem:

Check:
zmlocalconfig antispam_enable_rule_updates
antispam_enable_rule_updates = false
zmlocalconfig antispam_enable_restarts
antispam_enable_restarts = false

Setting:
zmlocalconfig -e antispam_enable_rule_updates=true
zmlocalconfig -e antispam_enable_restarts=true
zmlocalconfig -e antispam_enable_rule_compilation=true
zmamavisdctl restart
zmmtactl restart

But I would like to know who is doing the job: DSPAM or SpamAssassin?
ps aux|grep -i spam
gave no output.
Amavis does. I suggest you read up on https://wiki.zimbra.com/wiki/Anti-spam_Strategies. However, none of this applies to the case of someone who has hacked one of your users and is using your server to send out spam. For that, you need to monitor the postfix logs in /var/log/zimbra.log and find the spammer and the user they've hacked, and then fix things from there.
--
Quanah Gibson-Mount
Product Architect, Symas http://www.symas.com/
OpenLDAP Core team http://www.openldap.org/project/
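The point quanah makes above, that the 7071 SOAP request is made by the MTA itself, is why audit.log shows the server's own address for SMTP AUTH failures and why the attacker's address has to be read from the Postfix lines instead. The following script is an added example, not code from this thread or from Zimbra, that separates the two cases over constructed log lines. The sample lines are made up to follow the general shape of Postfix smtpd SASL warnings and of Zimbra 8.x audit.log `security - cmd=Auth` records; the regexes, the log paths and the address 192.0.2.10 standing in for the MTA are assumptions to check against your own files.

```python
"""Added example (not from the thread or Zimbra): pull the real client IP out of
failed-login records on a Zimbra host.

The SOAP AuthRequest that Postfix issues to port 7071 for an SMTP AUTH attempt
comes from the MTA itself, so audit.log records the server's own address for
those failures.  The client address is in the Postfix smtpd warning in
/var/log/zimbra.log; for webmail, IMAP and admin-console logins it is the ip=
field of /opt/zimbra/log/audit.log, or oip= when the request came via the proxy.
"""
import re
from collections import Counter
from typing import Iterable, Iterator, Optional, Tuple

# Postfix: "... postfix/smtpd[2211]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: ..."
POSTFIX_SASL_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: "
    r"SASL \w+ authentication failed(?:.*sasl_username=(?P<account>\S+))?"
)

# Zimbra audit.log: "[name=u@x;ip=A;oip=B;ua=...] security - cmd=Auth; account=u@x; ... error=authentication failed ..."
ZIMBRA_AUTH_FAIL = re.compile(
    r"\[(?P<ctx>[^\]]*)\] security - cmd=(?:Admin)?Auth; account=(?P<account>[^;]+); "
    r".*error=authentication failed"
)


def client_ip(ctx: str) -> Optional[str]:
    """Prefer oip= (original client behind the proxy) over ip= (the proxy or MTA)."""
    fields = dict(kv.split("=", 1) for kv in ctx.split(";") if "=" in kv)
    return fields.get("oip") or fields.get("ip")


def failed_logins(lines: Iterable[str], mta_ips: set) -> Iterator[Tuple[str, Optional[str], Optional[str]]]:
    """Yield (source, ip, account) for every failed login in the given lines.

    source is 'postfix', 'audit', or 'audit-via-mta' when the audit.log entry
    carries one of the MTA's own addresses, i.e. it is the 7071 relay of an
    SMTP AUTH failure whose real client only appears in the Postfix line."""
    for line in lines:
        m = POSTFIX_SASL_FAIL.search(line)
        if m:
            yield "postfix", m.group("ip"), m.group("account")
            continue
        m = ZIMBRA_AUTH_FAIL.search(line)
        if m:
            ip = client_ip(m.group("ctx"))
            yield ("audit-via-mta" if ip in mta_ips else "audit"), ip, m.group("account")


def summarize(lines: Iterable[str], mta_ips: set) -> dict:
    """Count failures per real client IP and per targeted account, setting aside
    the audit entries that merely show the MTA relaying an SMTP AUTH attempt."""
    per_ip, per_account, relayed = Counter(), Counter(), 0
    for source, ip, account in failed_logins(lines, mta_ips):
        if source == "audit-via-mta":
            relayed += 1
            continue
        per_ip[ip] += 1
        if account:
            per_account[account] += 1
    return {"per_ip": per_ip, "per_account": per_account, "relayed_via_mta": relayed}


# Constructed sample data; 192.0.2.10 plays the MTA/mailbox host itself.
MTA_IPS = {"192.0.2.10"}
SAMPLE_ZIMBRA_LOG = """\
Apr 20 10:01:02 mail postfix/smtpd[2211]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 20 10:01:03 mail postfix/smtpd[2211]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Apr 20 10:01:05 mail postfix/smtpd[2213]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure, sasl_username=bob@example.com
Apr 20 10:01:06 mail postfix/smtpd[2214]: connect from unknown[203.0.113.9]
""".splitlines()
SAMPLE_AUDIT_LOG = """\
2019-04-20 10:01:02,410 INFO  [qtp509886383-501971:https://192.0.2.10:7071/service/admin/soap/] [name=alice@example.com;ip=192.0.2.10;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com], invalid password;
2019-04-20 10:01:03,020 INFO  [qtp509886383-501972:https://192.0.2.10:7071/service/admin/soap/] [name=alice@example.com;ip=192.0.2.10;] security - cmd=Auth; account=alice@example.com; protocol=soap; error=authentication failed for [alice@example.com], invalid password;
2019-04-20 10:02:11,700 INFO  [qtp509886383-501980:https://mail.example.com/service/soap/AuthRequest] [name=carol@example.com;ip=127.0.0.1;oip=203.0.113.77;ua=zclient/8.7.11;] security - cmd=Auth; account=carol@example.com; protocol=soap; error=authentication failed for [carol@example.com], invalid password;
2019-04-20 10:02:12,100 INFO  [qtp509886383-501981:https://mail.example.com:7071/service/admin/soap/] [name=admin@example.com;ip=203.0.113.77;] security - cmd=AdminAuth; account=admin@example.com; protocol=soap; error=authentication failed for [admin@example.com], invalid password;
2019-04-20 10:02:13,000 INFO  [qtp509886383-501982:https://mail.example.com/service/soap/AuthRequest] [name=carol@example.com;ip=127.0.0.1;oip=203.0.113.77;ua=zclient/8.7.11;] security - cmd=Auth; account=carol@example.com; protocol=soap;
""".splitlines()


if __name__ == "__main__":
    report = summarize(SAMPLE_ZIMBRA_LOG + SAMPLE_AUDIT_LOG, MTA_IPS)
    print("failures per client IP :", dict(report["per_ip"]))
    print("failures per account   :", dict(report["per_account"]))
    print("audit entries that were the MTA relaying SMTP AUTH:", report["relayed_via_mta"])
```

Run against the sample data, the two `alice` failures that carry the MTA's own address are set aside as relays, and the per-IP table only contains real clients (203.0.113.9 from Postfix, 203.0.113.77 from the `oip=` and `ip=` fields). The same split is what a fail2ban setup needs: a jail on the Postfix SASL warnings for 465/587, a jail on audit.log for webmail and admin logins, and the MTA's own address in `ignoreip` so the 7071 relay entries never ban the server itself.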
TitusI
Posts: 30
Joined: Fri Apr 15, 2016 2:54 pm
ZCS/ZD Version: Release 8.7.11_GA_1854.RHEL7_64_201

Re: Brute force attack & SPAM configuration

Post by TitusI »

I'm still not able to find out the IP of the attacker; in the log I only see my own server IP.

qtp509886383-501971:https://my.server.wan.ip:7071/service/admin/soap/]

If I activate the admin login, it suddenly gets locked out again due to a lot of failed accesses... from WHOM?
On another server they do the same thing, and now the services for the web admin console

zimbra webapp Running
zimbraAdmin webapp Running
zimlet webapp Running

don't start and give me a 404.
If I do a zmcontrol restart nothing changes, and there are no stale PIDs (as far as I can see). How can I start them one by one?
rojoblandino
Advanced member
Posts: 52
Joined: Sat Sep 13, 2014 1:36 am

Re: Brute force attack & SPAM configuration

Post by rojoblandino »

Fail2ban does not work. I am receiving more than a million IPs trying to authenticate to my accounts, each time from several IPs, so if I block them it does nothing; next time the attempt comes from another IP.

Do you know any other move to avoid this kind of attack?

Many of my accounts are being auto-locked, and changing the password does not work: it gets locked or stolen by the spammer attacker. The passwords are not easy nor random; they are long phrases and outside of dictionary data.

Any recommendation? fail2ban is good for simple attacks from the same IP, but what about when the attacker has more than a million IPs? What kind of step can be implemented in this situation?
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: Brute force attack & SPAM configuration

Post by pup_seba »

Your problem seems a little weird. More precisely this:
"Many of my accounts are being auto-locked, and changing the password does not work: it gets locked or stolen by the spammer attacker. The passwords are not easy nor random; they are long phrases and outside of dictionary data."

If this is the case, attackers are limited to 10 attempts every ten minutes, and if they lock the account they will have a 1 hr cool-off from their attack (in the default configuration), which makes it really difficult for an attacker to "brute force" a password like the one you are describing. Could it be that their computers are infected with a keylogger or similar? Could it be that you are using an external LDAP for authentication with the "fall back to local auth" option enabled, and thus are changing the user password in the external LDAP but not doing it in the Zimbra OpenLDAP?

To fight against attacks, basically the only things I am aware of are:
- fail2ban
- DoSFilter
- Login policies via COS
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: Brute force attack & SPAM configuration

Post by zimico »

How do you know that the hacker is using more than one million IPs?
Regards,
L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: Brute force attack & SPAM configuration

Post by L. Mark Stone »

One strategy here is to configure account lockout policies such that DoSFilter (or fail2ban) starts throttling/blocking requests before the mailbox is locked out.

In that way, a legitimate remote user will not be locked out by a hacker doing a fast-paced dictionary attack.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: Brute force attack & SPAM configuration

Post by zimico »

L. Mark Stone wrote:One strategy here is to configure account lockout policies such that DoSFilter (or fail2ban) starts throttling/blocking requests before the mailbox is locked out.

In that way, a legitimate remote user will not be locked out by a hacker doing a fast-paced dictionary attack.

Hope that helps,
Mark
I tested DoSFilter and the lockout policy. DoSFilter blocks the bad IP, but the account is still locked out. Do you have the same issue, Mark?
Best regards.
L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: Brute force attack & SPAM configuration

Post by L. Mark Stone »

zimico wrote:
L. Mark Stone wrote:One strategy here is to configure account lockout policies such that DoSFilter (or fail2ban) starts throttling/blocking requests before the mailbox is locked out.

In that way, a legitimate remote user will not be locked out by a hacker doing a fast-paced dictionary attack.

Hope that helps,
Mark
I tested DoSFilter and the lockout policy. DoSFilter blocks the bad IP, but the account is still locked out. Do you have the same issue, Mark?
Best regards.
I do not have the same issue, because I configure DoSFilter to block the IP before the account is locked out -- assuming all the bad attempts come from one IP address. If it is a distributed attack from many IP addresses simultaneously, then yes, the mailbox will likely be locked out.

Mark
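The exchange above comes down to the ordering of two independent counters: the per-IP filter (pup_seba's "DoSFilter", zimico's "DOSfilter blocks bad IP") and the per-account lockout that pup_seba describes as 10 attempts per ten minutes with a one-hour cool-off. Mark's advice is to set the per-IP threshold below the per-account one; zimico's observation and Mark's reply are that this only helps when the failures share an IP. The simulation below is an added example, not code from the thread or from Zimbra, that plays both policies over a single-IP and a distributed attack. The ordering (IP filter rejects the request before it counts against the account), the attribute names in the comments and the thresholds are assumptions; confirm the live values with `zmprov gacf | grep -i InvalidLogin` and `zmprov gc default | grep -i Lockout`.

```python
"""Added example (not from the thread or Zimbra): interaction of a per-IP
failed-login filter with per-account password lockout.

Assumed Zimbra knobs (names as I understand them, values illustrative):
  per-IP   : zimbraInvalidLoginFilterMaxFailedLogin and the reinstate interval
  per-user : zimbraPasswordLockoutMaxFailures / zimbraPasswordLockoutFailureLifetime /
             zimbraPasswordLockoutDuration (with zimbraPasswordLockoutEnabled TRUE)
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List

ACCOUNT = "alice@example.com"


@dataclass
class Policy:
    ip_max_failures: int           # failures from one IP before that IP is blocked
    ip_block_seconds: int          # how long the IP stays blocked
    lockout_max_failures: int      # failures against one account before lockout
    lockout_lifetime_seconds: int  # window in which those failures are counted
    lockout_seconds: int           # how long the account stays locked


class LoginGate:
    """IP filter first, then the per-account lockout, like a servlet filter
    sitting in front of the Auth handler (assumed ordering)."""

    def __init__(self, policy: Policy) -> None:
        self.p = policy
        self.ip_failures: Dict[str, int] = defaultdict(int)
        self.ip_blocked_until: Dict[str, int] = {}
        self.acct_failures: Dict[str, deque] = defaultdict(deque)
        self.acct_locked_until: Dict[str, int] = {}

    def attempt(self, ts: int, ip: str, account: str, password_ok: bool) -> str:
        if self.ip_blocked_until.get(ip, 0) > ts:
            return "ip_blocked"            # dropped before it can count against the account
        if self.acct_locked_until.get(account, 0) > ts:
            return "account_locked"
        if password_ok:
            self.acct_failures[account].clear()
            return "ok"
        # per-IP counter: block the address once it reaches the threshold
        self.ip_failures[ip] += 1
        if self.ip_failures[ip] >= self.p.ip_max_failures:
            self.ip_blocked_until[ip] = ts + self.p.ip_block_seconds
            self.ip_failures[ip] = 0
        # per-account counter: sliding window of recent failures, any source IP
        window = self.acct_failures[account]
        window.append(ts)
        while window and ts - window[0] > self.p.lockout_lifetime_seconds:
            window.popleft()
        if len(window) >= self.p.lockout_max_failures:
            self.acct_locked_until[account] = ts + self.p.lockout_seconds
            window.clear()
            return "account_locked"
        return "bad_password"


def run_attack(policy: Policy, attacker_ips: List[str], attempts: int = 20) -> dict:
    """Fire `attempts` wrong passwords at ACCOUNT, one per second, cycling through
    attacker_ips, then let the real user log in from a clean address."""
    gate = LoginGate(policy)
    outcomes = [gate.attempt(t, attacker_ips[t % len(attacker_ips)], ACCOUNT, False)
                for t in range(attempts)]
    legit = gate.attempt(attempts + 1, "198.51.100.7", ACCOUNT, True)
    return {
        "outcomes": outcomes,
        "ips_blocked": sum(1 for ip in attacker_ips if gate.ip_blocked_until.get(ip, 0) > attempts),
        "account_locked": gate.acct_locked_until.get(ACCOUNT, 0) > attempts,
        "legit_login": legit,
    }


# Mark's ordering: the IP is blocked (5) well before the account locks (10).
PROTECTIVE = Policy(ip_max_failures=5, ip_block_seconds=900,
                    lockout_max_failures=10, lockout_lifetime_seconds=600, lockout_seconds=3600)
# Inverted: the account locks before the IP filter ever fires.
INVERTED = Policy(ip_max_failures=15, ip_block_seconds=900,
                  lockout_max_failures=10, lockout_lifetime_seconds=600, lockout_seconds=3600)

SINGLE_IP = ["203.0.113.10"]
DISTRIBUTED = ["203.0.113.%d" % i for i in range(20)]   # one failure per address

if __name__ == "__main__":
    for label, policy, ips in (("single IP, protective", PROTECTIVE, SINGLE_IP),
                               ("single IP, inverted", INVERTED, SINGLE_IP),
                               ("distributed, protective", PROTECTIVE, DISTRIBUTED)):
        r = run_attack(policy, ips)
        print(f"{label:26} ips_blocked={r['ips_blocked']:2} "
              f"account_locked={r['account_locked']!s:5} legit_login={r['legit_login']}")
```

With the protective ordering a single-source attack is cut off after five failures and the real user still logs in; with the thresholds inverted the same attack locks the account at the tenth try and the IP is never blocked. The distributed run shows zimico's case: twenty addresses each fail once, no IP crosses the per-IP threshold, and the account locks anyway, which is the limit Mark points out.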
eowhinn
Posts: 1
Joined: Tue Oct 02, 2018 3:36 pm

Re: Brute force attack & SPAM configuration

Post by eowhinn »

Dear all, I am following your recommendations and installed fail2ban according to your instructions, but when I want to launch fail2ban I get the following:

Starting fail2ban: ERROR Error in action definition iptables-allports[name=Zimbra-account]
ERROR Errors in jail 'zimbra-account'. Skipping...
ERROR Error in action definition iptables-allports[name=Zimbra-audit]
ERROR Errors in jail 'zimbra-audit'. Skipping...
[FAILED]

Please give me a hand. Regards.
L. Mark Stone
Ambassador
Posts: 2802
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: Brute force attack & SPAM configuration

Post by L. Mark Stone »

eowhinn wrote: Dear all, I am following your recommendations and installed fail2ban according to your instructions, but when I want to launch fail2ban I get the following:

Starting fail2ban: ERROR Error in action definition iptables-allports[name=Zimbra-account]
ERROR Errors in jail 'zimbra-account'. Skipping...
ERROR Error in action definition iptables-allports[name=Zimbra-audit]
ERROR Errors in jail 'zimbra-audit'. Skipping...
[FAILED]

Please give me a hand. Regards.
You have errors in your fail2ban configuration files. If you use Google to search for "zimbra fail2ban" you'll get lots of hits with actual jail file suggestions.

Hope that helps,
Mark
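For the two jails named in the error above, here is a minimal fail2ban layout as an added example; it is not Zimbra's own configuration nor a file from this thread. The jail names and the `iptables-allports[name=...]` action lines are the ones the error message quotes; the filter patterns, the log paths (a stock Zimbra install) and the placeholder address 192.0.2.10 for the MTA are my assumptions, and the audit.log patterns assume the Zimbra 8.x `security - cmd=Auth` record format, so compare them with your own lines. When fail2ban reports "Error in action definition", the first thing to check is that the action file the jail names exists (`/etc/fail2ban/action.d/iptables-allports.conf`) and that the bracketed parameters match what that file declares; the `zimbra-account` jail below deliberately watches the Postfix SASL warnings, since that is the only place the client address of a 465/587 attempt appears.

```ini
# /etc/fail2ban/jail.local  (added example; adjust paths and addresses)
[DEFAULT]
# loopback plus the MTA/proxy's own address, so 7071 relay entries never ban the server
ignoreip = 127.0.0.1/8 192.0.2.10
bantime  = 3600
findtime = 600
maxretry = 5

# webmail, IMAP, SOAP and admin-console logins recorded in audit.log
[zimbra-audit]
enabled  = true
filter   = zimbra-audit
action   = iptables-allports[name=Zimbra-audit]
logpath  = /opt/zimbra/log/audit.log

# SMTP AUTH failures on 465/587: the client IP only appears in the Postfix line
[zimbra-account]
enabled  = true
filter   = zimbra-smtp
action   = iptables-allports[name=Zimbra-account]
logpath  = /var/log/zimbra.log

# /etc/fail2ban/filter.d/zimbra-audit.conf
[Definition]
# oip= is the original client behind the proxy; plain ip= only when no oip= follows
failregex = ;oip=<HOST>;.* security - cmd=(Admin)?Auth; .* error=authentication failed
            \[name=[^;]*;ip=<HOST>;(?!oip=).* security - cmd=(Admin)?Auth; .* error=authentication failed
ignoreregex =

# /etc/fail2ban/filter.d/zimbra-smtp.conf
[Definition]
failregex = postfix/smtpd\[\d+\]: warning: \S+\[<HOST>\]: SASL \w+ authentication failed
ignoreregex =
```

Before enabling the jails, test each filter against its log with `fail2ban-regex /opt/zimbra/log/audit.log /etc/fail2ban/filter.d/zimbra-audit.conf` (and likewise for the Postfix filter); a match count of zero means the pattern does not fit your log format, not that there are no attackers.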